Certified Cloud Security Professional Study Guide Chapter 7 Review Questions (Ben Malisow) Flashcards
Which of the following best represents the REST approach to APIs?
A. Built on protocol standards
B. Lightweight and scalable
C. Relies heavily on XML
D. Only supports XML output
B. Lightweight and scalable
Explanation:
The other answers all list aspects of SOAP.
Which of the following is not commonly included in the phases of SDLC?
A. Define
B. Reject
C. Design
D. Test
B. Reject
Explanation:
The other answers are all possible stages used in software development.
Which of the following is not a component of the STRIDE model?
A. Spoofing
B. Repudiation
C. Information Disclosure
D. External pen testing
D. External pen testing
Explanation:
The other answers all include aspects of the STRIDE model.
Which of the following best describes SAST?
A. White-box testing
B. Black-box testing
C. Gray-box testing
D. Red-team testing
A. White-box testing
Explanation:
SAST involves source code review, often referred to as white-box testing.
Which of the following confirms that the identity assertion belongs to the entity presenting it?
A. Identification
B. Authentication
C. Authorization
D. Inflammation
B. Authentication
Explanation:
This is the definition of authentication.
Which of the following best describes a sandbox?
A. An isolated space where transactions are protected from malicious software
B. A space where you can safely execute malicious code to see what it does
C. An isolated space where untested code and experimentation can safely occur separate from the production environment
D. An isolated space where untested code and experimentation can safely occur within the production environment
C. An isolated space where untested code and experimentation can safely occur separate from the production environment
Explanation:
Options A and B are also correct, but C is more general and incorporates them both.
D is incorrect because sandboxing does not take place in the production environment.
Identity and access management (IAM) is a security discipline intended to ensure __________
A. All users are properly authorized
B. The right individual gets access to the right resources at the right time for the right reasons
C. All users are properly authenticated
D. Unauthorized users will get access to the right resources at the right time for the right reasons
B. The right individual gets access to the right resources at the right time for the right reasons
Explanation:
Options A and C are also correct, but included in B, making B the best choice.
D is incorrect because we do not want unauthorized users gaining access.
In a federated identity arrangement using a trusted third-party model, who is the identity provider and who is the relying party?
A. A contracted third party/the various member organizations of the federation
B. The users of the various organizations within the federation/a CASB
C. Each member organization/a trusted third party
D. Each member organization/each member organization
A. A contracted third party/the various member organizations of the federation
Explanation:
In a trusted third-party model of federation, each member organization outsources the review and approval task to a third party they all trust.
This makes the third party the identity provider (it issues and manages identities for all users in all organizations in the federation), and the various member organizations are the relying parties (the resource providers that share resources based on approval from the third party).
Which of the following best describes the Organizational Normative Framework (ONF)?
A. A container for components of an application's security controls and best practices cataloged and leveraged by the organization
B. A framework of containers for all components of application security controls and best practices cataloged and leveraged by the organization
C. A subset of application security controls and best practices cataloged and leveraged by the organization
D. A framework of containers for some of the components of application security controls and best practices cataloged and leveraged by the organization
B. A framework of containers for all components of application security controls and best practices cataloged and leveraged by the organization
Explanation:
Option A is incorrect because it refers to a specific application's security elements, meaning it is about an ANF, not the ONF.
C is true, but not as complete as B, making B the better choice.
D suggests that the framework contains only “some” of the components, which is why B (which describes “all” components) is better.
APIs typically are built with REST or ______
A. XML
B. SSL
C. SOAP
D. TEMPEST
C. SOAP
Explanation:
REST and SOAP are two common ways to build APIs.
Although SOAP is based on XML, SOAP is the more accurate answer.
The other two answers are not used for making APIs.
The ANF is best described as which of the following?
A. A stand-alone framework for storing security practices for the ONF
B. A subset of the ONF
C. A superset of the ONF
D. The complete ONF
B. A subset of the ONF
Explanation:
Remember, there is a one-to-many ratio of ONF to ANF; each organization has one ONF and many ANFs (one for each application in the organization).
Therefore, the ANF is a subset of the ONF.
Which of the following best describes SAML?
A. A standard for developing secure application management logistics
B. A standard for exchanging authentication and authorization data between security domains
C. A standard for exchanging usernames and passwords across devices
D. A standard used for directory synchronization
B. A standard for exchanging authentication and authorization data between security domains
Explanation:
Option C is also true, but not as comprehensive as B.
A and D are simply not true.
Which of the following best describes the purpose and scope of ISO/IEC 27034-1?
A. Describes international privacy standards for cloud computing
B. Provides an overview of application security that introduces definitive concepts, principles, and processes involved in application security
C. Serves as a newer replacement for NIST 800-53 r4
D. Provides an overview of network and infrastructure security designed to secure cloud applications
B. Provides an overview of application security that introduces definitive concepts, principles, and processes involved in application security
Explanation:
Option B is a description of the standard; the others are not.
Which of the following terms means “to perceive software from the perspective of the attacker in order to locate/detect potential vulnerabilities”?
A. Rendering
B. Galloping
C. Agile
D. Threat modeling
D. Threat modeling
Explanation:
This is the definition of threat modeling.
Database activity monitoring (DAM) can be ______
A. Host-based or network-based
B. Reactive or imperative
C. Used in the place of encryption
D. Used in place of data masking
A. Host-based or network-based
Explanation:
We do not use DAM in place of encryption or masking; DAM augments these options without replacing them.
"Reactive or imperative" has no meaning in this context and is only a distractor.